Less than two weeks before Election Day 2020, thousands of Americans were hit with a multipronged attack designed to cause chaos, confusion and fear. Thousands of Democratic voters received emails claiming that the U.S. election infrastructure had been breached. Meanwhile, Republican voters were waking up to a video on Facebook, Twitter and YouTube purporting to show the falsification of absentee ballots.
These seemingly disparate incidents coalesced around a central (but false) narrative: a compromised U.S. election.
Within 27 hours of reports from election officials and law enforcement agents in Florida and Alaska, the U.S. intelligence community had identified the attempt as a coordinated effort by Iranian hackers to spread disinformation and suppress voter turnout. It was the fastest public disclosure of such intelligence by the United States ever and a stunning example of successful threat mitigation—the bad actors were thwarted.
Had officials in Florida and Alaska not acted swiftly, reporting the incidents to appropriate federal partners who were then able to investigate and alert election officials everywhere, the damage could have been more severe.
When it comes to cybersecurity, everyone has a role to play, and legislatures across the country have already taken steps to increase election security. Below we offer lawmakers strategies for combatting the next attack, including free and simple measures that can be put in place today.
1. Understand the Threat Landscape
The first step to successfully combatting cyberattacks, whether in the elections sphere or elsewhere, is to understand the magnitude and scope of the problem. Today’s threat landscape differs from that of years past. While independent hacking groups and cybercriminals continue to wreak havoc and pose unique threats, experts warn of a rise in the number of hacking operations backed by nation-states.
“We are in the most concerning geopolitical environment for cybersecurity—it’s more important now than ever,” says Lindsey Forson, director of cybersecurity programs at the National Association of Secretaries of State.
A 2021 joint report from the U.S. Departments of Justice and Homeland Security revealed efforts by Russian, Chinese and Iranian government-affiliated actors to infiltrate U.S. election networks, including those of political organizations, candidates and campaigns during the 2020 election cycle. Though none of these attempts compromised election results, cyberattacks from sophisticated domestic and foreign adversaries are a constant threat and should always be taken seriously.
To put the threats in perspective: “Everything is stacked in the bad actors’ favor; think of this as your smallest districts fighting against Russia,” says Kim Wyman, senior election security advisor at the Cybersecurity and Infrastructure Security Agency, part of the U.S. Department of Homeland Security.
2. Evaluate Your State’s Cybersecurity Practices
With the broader context under your belt, it’s time to home in on your state’s cybersecurity practices. “Go to your local election office and ask them to walk you through the path of the ballot,” Wyman says. Engaging with local election officials is generally a good practice when considering any policy change, but it can be particularly helpful for understanding security measures.
Ask questions: What security measures are in place? Where do security vulnerabilities exist? What threats have been detected? And remember that a local election office is only one part of a larger technology ecosystem—the voter registrations are aggregated at the state-level, for example. Hackers might seek to gain access to, say, the voter registration system or the election management system through a variety of entry points. So, while the local election office might have some cybersecurity safeguards in place, the broader networks used at the county and state levels should also be examined for a more holistic cybersecurity assessment. This means having conversations about cybersecurity with those outside the election office, such as the county or state IT departments.
3. Pick the Low-Hanging (Cyber) Fruit
Understanding the mechanics of cybersecurity comes with a steep learning curve. The good news is that plenty of free resources and tools are available to help election officials in their efforts to strengthen security.
One free and easy step states can take is to require election offices to adopt a .gov domain for all official government websites. As a sponsored top-level domain, .gov is more secure than alternatives like .us or .com. It also provides an easy way to identify trusted election information—as in, “If it’s not .gov, it’s not us,” says Marci Andino, director of the Elections Infrastructure Information Sharing and Analysis Center.
Part of the nonprofit Center for Internet Security, which develops best practices for securing IT systems and data, the information sharing center is an invaluable resource for the elections community. Membership is free, voluntary and includes access to a suite of resources, such as guidance on security, incident reporting and remediation, and notifications of possible threats. States could encourage—or perhaps require—election offices to join.
Members also receive access to tools and services such as the Malicious Code Analysis Platform, which allows users to submit suspicious items for threat analysis; the Vulnerability Management Program, which provides monthly notifications on outdated software that could pose security risks; and Malicious Domain Blocking and Reporting, which preemptively blocks network traffic from hazardous web domains capable of perpetrating malware, ransomware and phishing attacks.
4. Be an Advocate for Your State’s Elections
“It’s very hard to change an election, but it’s very easy to cause confusion,” Wyman says. “The goal of our adversaries is to sow confusion.” As part of their voter email deluge in 2020, the Iranian hackers also claimed to have infiltrated America’s elections infrastructure. This claim was disproven, but it did propagate a damaging narrative: You can’t trust the system, so you shouldn’t vote. “They’re pitting Americans against each other, and it’s working,” Wyman adds.
Countering this kind of false narrative is hard—but legislators can help. As leaders and trusted community members with more experience with election processes than the public, legislators are well positioned to respond to mis-, dis- and malinformation that can undermine public trust. The May 2022 issue of “The Canvass” offers seven considerations for talking about elections with constituents, informed by the perspectives and experiences of fellow state legislators.
5. Make Cybersecurity a Legislative Priority
While many cybersecurity measures are free and do not require enabling legislation, others might.
In recent years, states have enacted a variety of measures relating to election cybersecurity. Washington state exempted sensitive election infrastructure and cybersecurity information from public records requests in 2021, so that bad actors can’t ask for the keys to the castle (or the details of cybersecurity protections). Louisiana adopted a similar measure in 2020, while separately requiring annual cybersecurity training for every employee using computer networks managed by the secretary of state. In 2019, Texas required the secretary of state to offer cybersecurity courses for county election officers, who are required to complete such training each year. The bill also outlines reporting requirements for known cybersecurity breaches.
Indiana enacted legislation in 2020 requiring counties to use threat analysis and cyber and physical security services through the secretary of state’s office. In 2019, California authorized the secretary of state to require data security training for officials handling voter registration information.
In recent years, states have also implemented cyber navigator programs—an individual or team at the state level helping local election officials take cybersecurity precautions. At least seven states—Florida, Illinois, Iowa, Massachusetts, Michigan, Minnesota and Ohio—have such programs in place. Illinois became the first state to establish a cyber navigator program after the 2016 election, and it did so through legislation.
6. Stay the Course
“People say, ‘Oh, our machines aren’t connected to the internet, we’re fine,’” says Andino, with the Elections Infrastructure Information Sharing and Analysis Center. “No, it’s bigger than that. Cybersecurity is an ongoing process—you can’t just tick a box and say you’re done. Election officials must protect all aspects of their critical elections infrastructure.”
The bad actors are working full time, so monitoring cybersecurity threats is a 24/7 task, too. Andino says states don’t have to go it alone. Take advantage of free resources and consider enacting legislation to establish safeguards or strengthen existing ones.
It only takes one intrusion to cast doubt and sow confusion. But armed with the proper tools, states can thwart attacks and strengthen election resilience.
Saige Draeger is a policy associate in NCSL’s Elections and Redistricting Program.